VLAN Hopping

Virtualization has become ubiquitous in the IT sector, and networking is no exception. Virtual Local Access Networks (VLANs) are widely used in today’s digitally driven environment. If you’re a managed services provider (MSP) configuring VLANs for your clients, it’s essential to be aware of VLAN security considerations and vulnerabilities. The primary threat that this type of network faces is VLAN hopping—this article will explain how it works and how to prevent it.

Is VLAN secure?

A Local Area Network (LAN) connects a group of computers in a single physical location to a server using Ethernet cables or wireless internet. In contrast, a VLAN is a group of devices on multiple LAN sections that behave as if they are on a single LAN. Computers in the VLAN may be separated by bridges, routers, or switches and may be housed in different locations. Compared to LANs, VLANs have the advantage of reducing network traffic and collisions, as well as being more cost effective.

Moreover, a VLAN can also bring added security. When devices are separated into multiple VLANs—often by department—it’s easier to prevent a compromised computer from infecting the entire network. Nevertheless, VLANs do come with some unique security risks that MSPs must keep in mind. The most important risk to consider is VLAN hopping.

What is the easiest way for an attacker to perform VLAN hopping?

What is VLAN hopping? In a VLAN hopping attack, a hacker connected to one VLAN gains access to other VLANs that they do not have permission to enter. In a secure VLAN, each computer is connected to one switch access port. Each computer can only send traffic to their specific connected port by accessing a single VLAN. However, with VLAN hopping, an attacker is able to send packets to ports that are not normally accessible, penetrating other VLANs. VLAN hopping can be accomplished in one of two ways:

  • Switch SpoofingWith a switch spoofing method, an attacker imitates a trunking switch by using the VLAN’s tagging and trunking protocol (Multiple VLAN Registration Protocol, IEEE 802.1Q, or Dynamic Trunking Protocol). By forming a trunk link, the hacker can gain access to traffic from all of the VLANs.
  • Double TaggingVLAN double tagging exploits 802.1Q tagging, taking advantage of the fact that some switches only remove one 802.1Q tag. In a double tagging attack, the hacker appends two VLAN tags rather than the usual one. The outer tag (which belongs to the attack’s own VLAN) is removed, leaving the inner tag of the victim’s VLAN to be forwarded to the trunk link. When the switch encounters the packet, it sees the second tag and allows the hacker access to the victim’s VLAN.

How does VLAN hopping cause a vulnerability in the network?

VLAN hopping is a significant security threat. It lets malicious actors gain access to networks that they don’t have permission to enter. A hacker can then steal passwords or other protected information; install malware and spyware; spread Trojan horses, worms, and viruses; or corrupt, modify, or delete critical data. To maintain secure VLANs, it’s clear that MSPs need to know how to neutralize this threat.

How can VLAN hopping be prevented?

Fortunately, there are a few effective methods to prevent VLAN hopping. Different techniques are used to deal with each type of VLAN hopping attack. To prevent switch spoofing, disable Dynamic Trunking Protocol to ensure that ports will not automatically negotiate trunks. You should also make certain that any port that is not intended to be a trunk is explicitly set up to be an access port.

Double tagging can be prevented using a three-step process. First, avoid putting any hosts on the default VLAN (VLAN 1). Second, be sure that the native VLAN on every trunk port is an unused VLAN ID. Finally, enable explicit tagging of the native VLAN for all trunk ports.

Check out the rest of our blog to learn about other considerations for a Virtual Local Area Network.